Fair and Efficient Secure Multiparty Computation with Reputation Systems

(1)

Fair and Efficient Secure Multiparty

Computation with Reputation Systems

?

Gilad Asharov, Yehuda Lindell, and Hila Zarosim??

Dept. of Computer Science, Bar-Ilan University,Israel

{asharog,zarosih}@cs.biu.ac.il, [email protected]

Abstract. A reputation system for a set of entities is essentially a list of scores that provides a measure of the reliability of each entity in the set. The score given to an entity can be interpreted (and in the reputation system literature it often is [12]) as the probability that an entity will behave honestly. In this paper, we ask whether or not it is possible to utilize reputation systems for carrying out secure multiparty computa-tion. We provide formal definitions of secure computation in this setting, and carry out a theoretical study of feasibility. We present almost tight results showing when it is and is not possible to achievefair secure com-putation in our model. We suggest applications for our model in settings where some information about the honesty of other parties is given. This can be preferable to the current situation where either an honest ma-jority is arbitrarily assumed, or a protocol that is secure for a dishonest majority is used and the efficiency and security guarantees (including fairness) of an honest majority are not obtained.

Keywords:secure multiparty computation, reputation systems, new models

1 Introduction

1.1 Background

In the setting of secure multiparty computation, a set of mutually distrustful partiesP1, . . . , Pmwish to compute a function of their inputs in the presence of adversarial behavior. The security requirements of such a computation are that nothing beyond the output should be learned (privacy), the output received must be correctly computed (correctness), the parties must choose their inputs independently of each other (independence of inputs), and either no parties

?_c _{IACR 2013. This article is the final version submitted by the authors to the IACR} and to Verlag on September 9, 2013. The version published by Springer-Verlag is available at 10.1007/978-3-642-42045-0 11. This research was supported by the European Research Council under the European Union’s Seventh Framework Programme (FP/2007-2013) / ERC Grant Agreement n. 239868.

??

(2)

receive output or all parties receive output (fairness). The formal definition of security requires that the result of a secure protocol be like the outcome of an ideal execution where an incorruptible trusted party is used to compute the function for all the parties. We remark that if there is no honest majority, then it is impossible to achieve fairness in general [8].

Under the assumption that the majority of the parties are honest, there exist protocols with full security [3, 7, 15]. However, the security of known protocols totally collapses when this assumption does not hold; in particular, the adversary can learn the inputs of the honest parties. Based on this, it may seem prudent to use protocols that guarantee security except for fairness when any number of parties are corrupted [15]. Unfortunately, all known protocols of this type have the property that just one corrupted party can prevent the parties from terminating successfully, and can even breach fairness. Moreover, it is known that there exist no protocols that simultaneously achieve full security for the case of honest majority, and security-with-abort (i.e., without fairness) when there is no honest majority [18]. This leads to the following unfortunate situation: the parties need to make a decision in advance whether to run a protocol that is secure as long as there is an honest majority and thereby risk losing privacy if they are wrong, or to run a protocol that is secure for any number of corruptions and thereby give up on any hope of obtaining fairness. To make things worse,

this decision is essentially made with no concrete information.

Reputation systems.A reputation system is a system whose aim is to predict agents’ behavior in future transactions. Such systems evaluate the data about agents’ previous transactions and estimate the probability that an agent will behave honestly or dishonestly in future transactions [12]. Reputation systems are very popular today in the electronic commerce market and in peer to peer systems [2]. They are used in these contexts to choose which vendors are trust-worthy, to determine the level of service obtained by a peer, and more. There is considerable work on how to construct reliable reputation systems, maintain them and so on. Such systems provide us with information regarding the honesty of parties, and therefore could be utilized.

Reputation systems and secure computation.In this paper, we study the use of reputation systems in order to carry out secure multiparty computation. We consider a model where all parties are given areputation vector(r1, . . . , rm) with the interpretation that the probability that party Pi is honest isri. An-other possible interpretation of this model is that there exists an adversary who attempts to corrupt as many parties as possible. Then, ri is the probability that party Pi remains uncorrupted, and can depend on the security measures employed by partyPi. The main question that we ask is:

Can reputation systems be utilized in order to achieve fair and efficient secure multiparty computation?

(3)

to achieve more than is possible in the standard model. For example, it may be possible to use protocols that require an honest majority (that are more efficient than those for a dishonest majority, and in addition also guarantee fairness), without just arbitrarily hoping that a majority of the parties are honest. It is important that this actually models a more general setting than just that of reputation systems; see below.

1.2 Our Results

Our main contributions are as follows. First, we suggest this novel model for secure computation and provide formal definitions of security in this model. Next, we study the problem of secure computation with reputation systems from a theoretical perspective. Specifically, we ask under what conditions on the reputation vector it is possible to achieve fair secure multiparty computation. We stress that our focus is on fairness since without this requirement one can just ignore the reputation system entirely and run a protocol like [15] that assumes no honest majority and guarantees security without fairness. We present both feasibility and impossibility results for this setting.

Regarding feasibility, we provide a criterion for when the reputations are such that there exists a subset of parties for which a majority are honest, except with negligible probability. Thus, when a reputation vector fulfills the criterion, it is possible to have this subset run a secure protocol that assumes an honest majority. Using the protocol of [10], this subset can be used to run the protocol for many other parties who just provide input and receive output (and it does not matter how many of these other parties are corrupted). Regarding impossibility, we present another criterion on the reputations and show that when this criterion is fulfilled it is impossible to securely toss a coin. This is proven by showing a reduction to the case of two-party coin tossing in the standard model of secure computation, for which the impossibility of fair coin tossing is well known [8]. Interestingly, we show that in the case of constant reputation values (that do not depend on the security parameter), our characterization is tight. That is, we prove the following very informally stated theorem:

Theorem 1.1 (Feasibility Characterization – Informal Statement) Let

Rep be a reputation system. Then, there exist protocols for securely computing every family of functionalitiesF with complete fairness with respect toRepif and only if the number of parties with reputation greater than1/2is superlogarithmic in the security parametern.

As we have mentioned, the positive result is obtained by showing that when the condition on the number of parties with reputation greater than 1/2 is ful-filled then there exists a subset of parties within which there is an honest ma-jority, except with negligible probability. Thus, standard protocols for secure computation with fairness can be run by this subset.

(4)

than just finding a subset for within which there is an honest majority. We show that in fact it isimpossibleto utilize reputations systems in any other way, and so our upper bound is almost tight.1

We also show how it is possible to use our feasibility result given a concrete reputation system; This is not immediate since our theoretical feasibility result is asymptotic also in the number of parties and requires finding a subset of parties whose reputation values fulfill a special property.

Reputation systems with correlations.The aforementioned basic model im-plicitly assumes independence between parties, since each partyPi is corrupted with probability ri as given in the reputation vector. This therefore does not model the case thatPi andPj are both corrupted if and only if somePk is cor-rupted. We therefore also study the more general setting where the probabilities that parties are corrupted may be correlated. In this setting, we show that as long as the correlations are “limited” in the sense that each party is dependent on only ` other parties, then an honest majority exists (except with negligi-ble probability) if the expected number of honest parties is “large enough”. We formally define what it means for correlations to be limited to `, and give a criterion on the required expected number of honest parties. We prove this using martingales.

We remark that although this extension allows a more general type of repu-tation system, real-world repurepu-tation systems work by providing a vector stating the individual probabilities that every party is corrupted. Thus, we view the basic model as our main model.

Covert security. We observe that the model of security in the presence of covert adversaries [1], where the guarantee is that any cheating is detected by honest parties, is particularly suited to our setting where there is an existing reputation system. This is due to the fact that any cheating will go immediately punished by reporting such a cheating to the reputation system manager. In addition, we observe that it is possible to use the protocol of [9] that is only twice as expensive as a semi-honest information-theoretic protocol, and provides a deterrent of 1/4 (meaning that any cheating is detected with probability at least 1/4). Such protocols have been proven to be highly efficient.

Applications to other settings. Our basic model for secure computation with reputations actually relates to any setting where additional information about the honesty of the parties is known. Two examples of such settings are as follows. First, consider an environment with an access control scheme where there is non-negligible probability of impersonation. Expressing this probability of cheating as a reputation system and using our protocols, it is possible to neutralize the threat from the impersonators. A second example relates to a set of servers where intrusion detection tools provide an indication as to whether

1

(5)

or not a given server has been compromised. Rather than naively assuming that a majority of the servers have not been compromised, it is possible to use the indicators of the intrusion detection system within our protocol in order to obtain a more robust solution. This setting fits in very nicely with numerous recent projects that offer a secure computation service, where a set of servers carry out the computation and security is guaranteed as long as a majority of them are not compromised [4, 5].

2 Definitions – The Basic Model

2.1 Reputation Vectors and Secure Computation

Letf be anm-ary functionality and letπbe anm-party protocol for computing

f. A reputation vector r for the protocol π is a vector in _Rm _{such that for} every i, the value ri indicates the probability that party Pi is honest in an execution ofπ. We assume thatris public information, and is obtained from an external authority that handles the reputation system. Our goal in this work is to study the advantages that such public information can provide in constructing secure protocols. We remark that reporting malicious behavior of individuals and maintaining the reputation system is out of this scope of this work. A huge amount of work deals with how to adapt the reputation of an individual in case it has been corrupted. Incorporating cryptography to this task and proving the system that indeed the entity behaves inappropriately, seems as an appealing future direction.

In the standard setting of secure computation, we are given a fixed m-ary function and our goal is to construct a securem-party protocolπfor computing

f. Thus the functionality to be computed is fixed and hence its arity is fixed as well. However, in this paper we wish to work asymptotically in the number of parties as well, and this makes things more complicated. The reason that we work in this way is so that we can reason about the probability that some subset of parties of a given size is corrupted. In order to see this, consider a protocol that is secure as long as the majority of the parties are honest. Then, consider the case that all parties are honest with probability 3/4 (and otherwise they are corrupted). Clearly, for a sufficiently large number of parties it is possible to apply the Chernoff bound in order to argue that the probability that there is no honest majority is negligible. However, this is only possible when we consider an asymptotic analysis over the number of parties. We stress that just like the use of a security parameter, in a real instantiation of a protocol one would set a concrete allowed error probability (e.g., 2−40_{) and verify that for the given real}

number of parties and their reputation vector, the protocol error is below this allowed probability.

(6)

only difference is the number of inputs (e.g., statistics like median, majority and so on). Formally,

Definition 2.1 LetF ={fm}m∈Nbe an infinite family of functionalities, where fm_{is an}_m_{-ary functionality. We say that}_F _{is a}_{PPT family of functionalities}_if

there exists a polynomial p(·)and a machine M that on inputnandm outputs a circuitCn,min time at most p(n+m)such that for everyx1, . . . , xm, it holds

that Cn,m(x1, . . . , xm) =f(m)(1n, x1, . . . , xm).

We define a family of protocolsΠ(m, n) in the same way, and say that it is polynomial timeif there exists a polynomial p(·) such that the running time of all parties is bounded byp(m+n). We will consider the case where the number of parties m=m(n) is bounded by a polynomial in the security parameter n. This makes sense since any given party cannot run more than poly(n) in any case, and so if the number of partiesm(n) is superpolynomial inn, then it will not be possible to even send a single message to all other parties.

Summary. We consider secure computation with m = m(n) parties, where

m : _N → _N is bounded by a polynomial in n.2 _{The parties run a protocol} Π(m, n), which is anm-party protocol with security parametern, that securely computes the functionalityfm_{in the class}_F₌_{_fm(n)_}

n∈N. Finally, the parties

have for auxiliary input a reputation vectorrm_{such that for every}_i_∈_[_m_{], the} probability that partyPiis corrupted isrmi . As we will see, we will require that for all large enough values ofn(which also determinesm=m(n)), the protocol

Π(m, n) securely computesfmwith respect to the reputation vectorrm. Thus, we also need to consider a family of reputation vectors, one for each value ofm; we denote the family of reputation vectors for everynbyRep={rm(n)_}

n∈N.

2.2 Security with Respect to a Reputation Vector

We assume that the reader is familiar with the standard definition of security for secure computation (see [14, 6]). We modify the definition to allow for a varying number of parties, that is,m(n) for a given functionm:N→N.

Definition 2.2 Let m:N→Nbe a function. We say that the protocol Π t(· )-securely computes the functionality F ={fm(n)_}

n∈N with respect to m(·), if for

everypptadversaryA, there exists apptsimulator S, such that for everyppt

distinguisherD, there exists a negligible functionµ(·)such that for everyn∈N,

every I⊆[m(n)]with |I| ≤t(m(n)), every x∈({0,1}∗)m(n) andz∈ {0,1}∗, it holds that:

Pr

D _idealF,S(z),I(n, m,x)

= 1 −Pr

D _realΠ,A(z),I(n, m,x)

= 1

≤µ(n).

2 _{We remark that the naive approach of taking}_m_{to be a parameter that is independent}

(7)

The protocol of GMW [15, 14] satisfies this definition, and is secure even when the number of parties m is a function of n, as long as it is polynomial. Formally, letΠ(m, n) denote the GMW protocol with the following change. Let F ={fm(n)_}

n∈N be a functionality. Then, upon input 1

n_,₁m_{, each party runs} the polynomial-time process to obtain the circuitCn,mfor computingfm. They then proceed to run the GMW protocol with mparties on this circuit. We are interested here in the version of GMW that assumes an honest majority and guarantees fairness. Thus, we have:

Fact 2.3 Let F = {fm(n)_}

n∈N be a functionality and let Π denote the GMW

protocol as described above forF. Then, for every polynomial m(·) :N→N, the

protocol Π(m, n) m(₂n)-securely computesF with respect tom(n).

Having defined security with respect to a varying number of parties, and thus actually being asymptotic also in the number of parties, we proceed to include the reputation system as well. The definition is the same except that instead of quantifying overall possible subsets of corrupted parties of a certain size, the set of corrupted parties is chosen probabilistically according to the given reputation vectorrm_{= (}_rm

1 , . . . , rmm). We denote byI ←rmthe subset I⊆[m] of parties chosen probabilistically where everyi∈Iwith probability 1−rm

i (independently of all j 6=i). We note that the output of_ideal and_real includes 1n_,₁m_,_x_{, z} andI. Thus the probabilistic choice ofIis given to the distinguisher.

Definition 2.4 (Security with Respect to (m(·),Rep)) Letm(·),Rep,Fand

Π be as above. We say thatΠ securely computesFwith respect to(m(·),Rep), if for every pptadversaryA, there exists a pptsimulator S, such that for every

ppt distinguisher D, there exists a negligible function µ(·) such that for every

n∈N, every x∈({0,1}∗)m(n) andz∈ {0,1}∗, it holds that:

_I Pr

←rm(n)

D _idealF,S(z),I(n, m(n),x)

= 1

− Pr I←rm(n)

D _realΠ,A(z),I(n, m(n),x)

= 1 ≤µ(n)

Observe that a protocol that is secure with respect to a reputation vector is allowed to always fail for a certain subsetI of corrupted parties, if that specific corruption subset is only obtained with negligible probability with the reputation vectors inRep.

3 A Theoretical Study

(8)

on a subset exists. We also present a condition on the reputation vectors for which it is impossible to securely compute the coin tossing functionality. This is shown by reduction to the impossibility of computing two-party coin tossing with fairness [8]. Finally, we show that when the reputations areconstant, then the above conditions are complementary. In the full version we give an example of a reputation vector with probabilities that depend onn for which neither of our conditions apply.

3.1 Feasibility

Reputation Vectors and Honest Majority We begin by presenting a simple property for evaluating whether or not a family of reputation vectors guarantees an honest majority, except with negligible probability. It is clear that if all parties have reputation ri > 1₂ + for some constant , then there will be an honest majority except with probability that is negligible in the number of parties; this can be seen by applying the Chernoff bound. Likewise, if at least two thirds of the parties have reputationri> 34+, then a similar calculation will yield an honest

majority except with negligible probability. However, these calculations require a large subset of parties to have high reputation, and the use of Chernoff requires that we use the same probability for a large set. Thus, this does not address the case that 1/4 of the parties have very high reputation (almost 1), another half have reputation 1/2, and the remaining 1/4 have low reputation. In order to consider this type of case, we use the Hoeffding Inequality [19]. This enables us to relate to the overall sum (or equivalently,average) of the reputations of all parties. Using this inequality, we obtain a very simple condition on reputation vectors. Namely, given a familyRep={rm(n)_}

n∈Nand a polynomialm=m(n),

we simply require that for all sufficiently largen’s, the average of the reputations

is greater than: 1/2 +ω

q

logm m

, or, equivalently, that the expected number

of honest parties is greater than:m/2 +ω √m·logm .

Before proceeding to the formal proof, we first state the Hoeffding Inequal-ity [19] (see also [13, Sec. 1.2]). In our specific case, all of the random variables have values between 0 and 1, and we therefore write a simplified inequality for this case.

Lemma 3.1 (The Hoeffding Inequality) LetX1, . . . , Xmbemindependent

random variables, each ranging over the (real) interval [0,1], and let µ = 1

m · E[Pm_i₌₁Xi] denote the expected value of the mean of these variables. Then, for

every >0,Prh

Pm i=1Xi

m −µ ≥

i

≤2·e−22_·m .

Claim 3.2 Let m : N → N be such that O(logm(n)) = O(logn), let Rep = {rm(n)_}

n∈Nbe a family of reputation vectors and letm=m(n). If it holds that

m X

i=1

r_im>jm

2 k

(9)

then there exists a negligible functionµ(n)such that for everyn,

Pr I←rm

h

|I| ≥jm 2

ki

< µ(n).

Proof: Fix n and let m = m(n). For every i ∈ [m], let Xi be a random variable that equals 1 when partyPiis honest, and 0 when it is corrupted. Thus, Pr[Xi= 1] =ri. Let ¯X =

Pm i=1Xi

m . Using linearity of expectations, we have that E[ ¯X] = _m1 Pm_i₌₁ri.

There is an honest majority when|I| < m₂; equivalently, when Pm_i₌₁Xi ≥ bm/2c+ 1. Let∆= (Pm_i₌₁ri)− bm/2c=m·E[ ¯X]− bm/2c. By the Hoeffding inequality:

Pr " _m

X

i=1

Xi≤jm

2 k # = Pr "_m X i=1

Xi−m·E_¯ X

≤jm

2 k

−m·E_¯ X # = Pr " m X i=1

Xi−m·E_¯ X ≤ −∆ # = Pr "m X i=1

Xi−m·E_¯ X

≤ −m·∆

m #

= Pr Pm

i=1Xi

m −E _¯

X

≤ −∆

m

≤2e−2∆

2 m _.

The above holds for allnandm=m(n). Asymptotically, by the assumption in the claim, ∆ = ω(√m·logm) and thus ∆_m2 = ω(logm). Hence we have that, Pr

|I| ≥m

2

= PrPm_i₌₁Xi≤ m

2

≤ 2e−2∆m2 < 2e−ω(logm) which is

negligible in m. Since m(·) is a function such that O(logm(n)) = O(logn), it holds that e−ω(logm(n)) _{is a function that is negligible in}_n_{, as required.}

Intuitively, in order to use the above for secure computation, all the parties need to do is to run a protocol that is secure with an honest majority (like GMW [15]). Since there is guaranteed to be an honest majority except with negligible probability, then this is fine. We stress, however, that for this to work we need to use Fact 2.3 since here we refer to the version of GMW for which the number of partiesmis aparameter, and is not fixed. We therefore conclude:

Theorem 3.3 LetF be as above, and letΠ={Π(m, n)}be the GMW protocol of Fact 2.3. Let m(·) be a function such that O(logm(n)) = O(logn), let m=

m(n)and letRep be as above. If

m X

i=1

r_im>jm

2 k

+ω(pmlogm),

thenΠ securely computesF with respect to(m(·),Rep).

(10)

Subset Honest Majority In order to achieve secure computation with com-plete fairness, it suffices to have a subset of parties for which there is guaranteed to be an honest majority except with negligible probability [10]. This works by having the subset carry out the actual computation for all other parties. Specif-ically, all the parties send shares of their inputs to the subset, who compute shares of the output and return them. In more detail, the protocol of [10] works as follows. LetT ⊆[m(n)] be the subset of parties that carry out the actual com-putation; these are called the servers. All the parties distribute their inputs to the set of serversTusing VSS (verifiable secret sharing) with threshold|T|/2+1. The servers then compute shares of the outputs by computing the circuit gate by gate. At the output phase, the servers send the appropriate shares of the outputs to each party, who then reconstructs the output. See [10] for details, and for a proof that the protocol is secure as long as a majority of the parties in T are honest. Thus, as long as there exists a subset of partiesT ⊆[m(n)] with honest majority except with negligible probability, there exists a protocol for thism(·) and family of reputation vectors. Thus, we have:

Claim 3.4 Let F, m(·) and Rep be as above. If there exists a negligible func-tion µ(·), such that for every n there exists a subset Tn ⊂ [m(n)] for which Pr_I←rm(n)

h

|Tn∩I| ≤ |T₂n| i

≤ µ(n), then there exists a (non-uniform) protocol

Π that securely computes F with respect to(m(·),Rep).

The proof of this claim is the same as the proof of Theorem 3.3: if there is a subset with an honest majority then the security of [10] holds, and the probability that there is not an honest majority is negligible. There is one subtle point here, which is that the protocol as described is non-uniform since the subset Tn may be different for every n. Nevertheless, as we will see below, our criteria for the existence of such a subset is such that an appropriate subsetTn can always be efficiently computed from the reputation vector rm(n)_(assuming

its existence).

Criteria on the reputation vector.Our next goal is to analyze when a family of reputation vectors guarantees a subset of parties with an honest majority, except with negligible probability. We first present the technical criteria, and then explain its significance below.

Claim 3.5 Letm(·), andRepbe as above. For everynand subsetTn ⊆[m(n)],

let∆Tn

def

= P

i∈Tnr

m(n)

i −

|Tn|

2 . If there exists a series of subsets {Tn}n∈N (each Tn⊆[m(n)]) such that

(∆_Tn)2

|Tn| =ω(logn), then there exists a negligible function

µ(·)such that for everyn,Pr_I←rm(n)

h

|I∩Tn|> |Tn|

2

i

≤µ(n).

(11)

when the party is honest and 0 when it is corrupted. An identical calculation to that carried out in the proof of Claim 3.2 yields that for everyn,

Pr I←rm(n)

|I∩Tn|> |Tn|

2

= Pr "

X

i∈Tn

Xi≤ |Tn|

2 #

≤2e− 2(_∆Tn)2

|Tn| _. ₍₁₎

Since(∆Tn)2

|Tn| =ω(logn), we conclude that PrI←rm(n)

h

|I∩Tn|> |T₂n| i

≤2e−ω(logn)

which is negligible inn, as required.

Combining Claim 3.5 with Claim 3.4 we conclude that:

Corollary 3.6 Let F,m(·) andRepbe as above. For every nand subset Tn⊆ [m(n)], let∆Tn

def

= P

i∈Tnr

m(n)

i −

|Tn|

2 . If there exists a series of subsets{Tn}n∈N

(each Tn ⊆ [m(n)]) such that

(∆_Tn)2

|Tn| = ω(logn), then there exists a

(non-uniform) protocol Π that securely computesF with respect to(m(·),Rep).

Efficiently finding the subset Tn.The non-uniformity of the protocol is due to the fact that in general, the subsetTnmay not be efficiently computable from the reputation vector. Nevertheless, we show now that assuming the existence of a subsetTn fulfilling the condition, it is easy to find a subsetTn0 (not necessarily equal toTn) that also fulfills the condition.

In order to see this, first note that for any sizet, the largest value of∆(over all subsetsTn⊆[m(n)] of size t) is obtained by taking thet indicesifor which

ri is largest. This follows since∆Tn = (

P

i∈Tnri)−

|Tn|

2 and so replacing an ri in the sum with a largerrj always gives a larger∆Tn. This gives the following

algorithm for finding an appropriate subset:

1. Given rm_{, sort the values in decreasing order; let}_r

i1, . . . , rim be the sorted

values.

2. For every j= 1, . . . , m, compute∆j= _Pj

k=1rik

−j

2.

3. Let j be the index for which (∆j)2

j is maximum over all j’s. Then, output the subsetT ={i1, . . . , ij}.

In order to see that this fulfills the requirement, observe that by the above observation, the maximum value of ∆Tn for all possible subsets Tn is one of

the values of ∆1, . . . , ∆m. Therefore, if there exists a subset that fulfills the requirement, the subset output by the algorithm also fulfills the requirement.

A Protocol for the Concrete Setting. Our protocols above are proven se-cure under the assumption that there exists a subset Tn fulfilling the required

(12)

to simply compute∆Tnand then check if 2e

−2(∆Tn_| )2

Tn| _{< δ}_{(this bound is obtained} similarly to the bound in the proof of Claim 3.2; see Eq. (1) for more details). By the algorithm given above for finding the subset, it is possible to efficiently find an appropriate Tn with an error below the allowed bound, if one exists. (If one does not exist, then the parties know that they cannot run the protocol.) We remark that for efficiency, it is best to take the smallest subset that gives a value below the allowed error parameter, since this means that the protocol run by the parties has less participants, and so is more efficient.

Inaccurate reputation system. Sometimes, the reputation system may be inaccurate, where the true reputation value of the party is-far from its public value. This error may arise in both directions, that is, sometimes the public reputation might be lower than the true one, and sometimes it might be higher. However, it is easy to generalize our results to deal with this case as well, while taking the reputation as the minimum guaranteed value and considering the worst case scenario.

3.2 Impossibility

We now turn to study under what conditions on the family of reputation vectors it is not possible to achieve (general) secure computation. We stress that we focus on the question of fairness here since one can always ignore the reputation vector and run a general protocol for secure computation with abort that is resilient to any number of corrupted parties. We therefore consider the problem of coin tossing, since it is impossible to fairly toss a coin without an honest majority [8] (or, more accurately, with only two parties).

Letm(·) be a function and letRep={rm(n)_}

n∈N be a family of reputation

vectors. For everyn, we denote byH1/2

n the set of all indicesiof partiesPi such that 1₂ < rm_i (n)<1. Recall thatm(·) denotes the number of parties and so the size of the set H1/2

n is bounded by m(n). We denote by F = {f m(n)

CT }n∈N the

coin-tossing functionality:f_CTm(n)(1n, . . . ,1n) = (U1, . . . , U1), whereU1 denotes a uniform random bit; i.e., the output of the function is the same random bit for all parties.

The idea behind our proof of impossibility is as follows. Consider first for simplicity the case that all the reputations are at most 1/2, and thus H1/2

n is empty. This means that the expected number of corrupted parties is at least half and thus, intuitively, any protocol that is secure with respect to such a reputation vector must be secure in the presence of a dishonest majority. We show that this implies the existence of a two party protocol for fair coin tossing. We also prove impossibility when H1/2

n is not empty but the probability of all parties inH1/2

n being corrupted is non-negligible. In this case, we show that since security must hold even when all parties inH1/2

n are corrupted, we can reduce to fair coin tossing even here.

(13)

n’s it holds that the probability that all parties in H1/2

n are corrupted is at least

1

p(n), then there does not exist a protocolΠ that securely computes the multiparty

coin-tossing functionalityF ={f_CTm(n)}n∈N with respect to(m(·),Rep).

Proof Sketch: Assume the existence of a protocol Π that securely computes the family F ={f_CTm(n)}n∈N with respect to a polynomial m(·) and a family of

reputation vectors Rep, and that there exists a polynomial p(·) such that for infinitely many n’s, Pr_I←rm(n)

H1/2

n ⊆I

≥ 1

p(n). We show that this implies the

existence of an infinitely-often3_{non-uniform two-party protocol}_π0₌_h_P0

0, P10ifor

the coin-tossing functionality that is secure in the presence of malicious adver-saries, in contradiction to the fact that fair coin tossing cannot be achieved [8].4

We start with an informal description of our transformation and we provide an informal explanation of why it works; we then describe in Protocol 3.8 the construction ofπ0, the formal proof appears in the full version of this paper. We begin with the simpler case whereRepis such that for infinitely many n’s,H1/2

n is empty; that is, each party is honest with probability at most 1/2. We use this to construct a two-party protocolπ0 in which on security parametern, the two partiesP₀0andP₁0emulate an execution of them=m(n)-party protocolΠ(m, n) by randomly choosing which of themparties inΠ(m, n) is under the control of

P00 and which of the parties inΠ is under the control ofP10. This can be done

by tossingmcoins, and giving the control of each (virtual) party for which the coin is 0 toP00, and the control of each (virtual) party for which the coin is 1 to P0

1. The two parties then emulate an execution of the m-party protocol Π for

the coin-tossing functionalityfm

CT, and determine the resulting bit according to the outputs of the (virtual) parties under their control.

Loosely speaking, we claim that the security ofΠimplies that this emulation is secure as well. To see this, note that in an execution ofπ0, them-party protocol

Π is invoked when each of the parties of Π is under the control of P₀0 with probability 1/2 and under the control ofP₁0with probability 1/2. Thus, for every adversary controlling one of the parties inπ0, we expect to have about half of the parties in Π under its control (since each party in Π is under the adversary’s control with probability 1/2). Since Π is secure with respect to a family of reputation vectorsRepsuch thatH1/2

n is empty (and so, r m i ≤

1

2 for everyi),Π

is secure when the expected number of the corrupted parties isP i(1−r

m i )≥

m

2,

and thus can handle the number of corruptions in the emulation carried out by the two party protocol π0.

So far, we have ignored two issues in the construction ofπ0. First, the coin tossing we use to decide which of the parties is controlled by P0

0 and which

is controlled by P0

1 is only secure with abort, and so an adversary controlling P₀0 orP₁0 might abort before the other party sees the output of the coin tossing. However, we show that in this case the honest party can simply output a random bit and this adds no bias to the output. Intuitively, the reason that this works

3 _{This means that the security of the protocol holds for infinitely many}_n_’s. 4

(14)

is that if a party aborts before beginning the emulation of Π, then it has no meaningful information and so cannot bias the outcome. Thus, the other party may just output a random bit. Second, after the emulation ends, each of the parties P₀0 and P₁0 should determine their outputs. Recall that each of the two parties has a subset of themparties inΠ under its control and hence at the end of the emulation ofΠ, each ofP₀0 andP₁0 sees a set of outputs (as each party in

Π has an output). However, we expect that when the parties play honestly, all parties inΠ output the same output. Moreover, even if some of the parties inΠ

are corrupted, by the security of Π, the output of the honest parties should be the same (except with a negligible probability). Therefore, intuitively it seems thatP00 (resp.P10) can determine its output by considering the set of all outputs

of the parties under its control. If all those parties have the same output, then

P00 outputs the common bit. Since we expect the event of not all parties having

the same output happen only with a negligible probability, in this caseP0

0(resp. P₁0) can just output a⊥symbol. However, when trying to formalize this idea, a technical problem arises because the expected number of honest outputs in π0

may be larger than the expected number of honest outputs in Π (recall that in

π0 the expected number of honest parties is m₂ whereas in a real execution of

Π the expected number of honest parties isP ir

m i ≤

m

2). We overcome this by

having the honest party in π0 not consider the set ofall outputs of the parties under its control, but rather choose a subset of the outputs that is expected to be of size P

ir m

i . To do this, the parties in π0 must know the vector rm and hence the protocol we construct is non-uniform.

So far we only discussed the case that for infinitely manyn’s,H1/2

n is empty. Now, assume that this does not hold and H1/2

n is non-empty. In this case, the construction of π0 fails because in the execution simulated byπ0, each party is corrupted with probability 1₂ whereas in the real execution ofΠ, we have parties whose probabilities to be corrupted are strictly less than 1₂. For example, assume that a certain party Pi in Π(m, n) is honest with probability 0.9 (and hence -corrupted with probability 0.1). However, by the wayπ0_{is defined, this party will} be under the control of the adversary with probability 1

2. In this case, it might

be that π0 is not secure even though Π is secure, simply because the party Pi is more likely to be corrupted inπ0 than inΠ(m, n). However, we show that if for infinitely many n’s, the probability of all parties in H1/2

n being corrupted is polynomial inn, thenΠ must remain (infinitely often) secure even conditioned on the event that the parties inH1/2

n are corrupted. This will imply that we can slightly modify the construction ofπ0 such that one of the parties always controls the parties inH1/2

n , and obtain that even though these parties are more likely to be corrupted whenπ0 simulates Π than in real executions ofΠ, the simulation carried out byπ0 still remains secure.

A formal construction ofπ0is given in Protocol 3.8 and the full proof thatπ0

(15)

PROTOCOL 3.8 (Protocolπ0=hP00, P 0

1ifor two-party coin-tossing)

– (Non-uniform) auxiliary input:1n_,_rm(n)_.

– The Protocol:

1. Set up subsets for emulation:Parties P00 and P

0

1 invoke m = m(n)

executions of thefCT2 functionality with security-with-abort in order to obtainmcoins; letb∈ {0,1}m_{be the resulting coins. If one of the} parties receives⊥(i.e., abort) for output, then it outputs a random bit and halts.

Otherwise, the parties defineI0={i|bi= 0}∪Hn1/2, andI1 = [m]\I0.

2. Emulate Π: The parties P00 and P10 emulate an execution Π =

Π(m(n), n) for computing fm

CT where P 0

0 controls the parties in I0

andP10 controls the parties inI1; all parties use input 1n.

3. Determine outputs:

(a) PartyP00 selects a subset S0 ⊆I0 of the (virtual) parties under

its control as follows. For everyi∈H1/2

n ,Pi is added toS0 with probability rim; for every i ∈ I0\H1n/2, Pi is added to S0 with probability 2rim (note that sincei6∈H

1/2

n , it holds thatrmi ≤ 12

and hence 2rm

i is a valid probability).

P00outputs the bitb∈ {0,1}ifallthe virtual parties inS0output

binΠ. Otherwise, it outputs⊥.

(b) PartyP10 selects a subset S1 ⊆I1 of the (virtual) parties under

its control by adding eachPi(fori∈I1) with probability 2rmi (as before,i6∈H1/2

n and hence 2rimis a valid probability). P10outputs the bitb∈ {0,1}ifallthe virtual parties inS

1

output binΠ. Otherwise, it outputs⊥.

3.3 Tightness of the Feasibility and Impossibility Results

Our feasibility result states that if there exists a series of subsets{Tn}n∈N(each Tn ⊆[m(n)]) such that

(∆_Tn)2

|Tn| =ω(logn), then there exists a secure protocol.

In contrast, our impossibility result states that if for infinitely many n’s, the probability that all parties in H1/2

n are corrupted is 1/p(n), then there exists no protocol. In this section, we clarify the relation between these two results.

Constant reputations. We consider the case that all reputations are con-stant. This is somewhat tricky to define since the reputation vectors are modeled asymptotically themselves (each vector of lengthm(n) can have different values and thus can depend onn). We therefore define “constant” by saying that there exists a finite setR={r1, . . . , rL}such that all reputation values (in all vectors) inRepare inR, and 1∈ R/ (if 1∈ Rthen this is an uncorruptible trusted party and secure computation is trivial). In this case, we say that Rep has constant reputations. We have the following theorem:

Theorem 3.9 Let m(·) be a polynomial, and let Rep be a family of constant

reputations. Then, there exist protocols for securely computing every PPT family of functionalitiesF with respect to(m(·),Rep), if and only if it holds that|H1/2

n |=

(16)

Proof: The existence of protocols for every family of functionalities F when |H1/2

n | = ω(logn) can be seen as follows. Let r be the smallest value greater than 1/2 in R. This implies that all reputations inH1/2

n for all nare at leastr. Thus,∆_H1/2

n =

P i∈H1n/2

rm_i (n)−1 2

≥P

i∈H1n/2 r−

1 2

=|H1/2

n | · r−12

. Now,

take Tn = H1n/2 and we have that

(∆_Tn)2

|Tn| ≥

|Tn|2·(r−12) 2

|Tn| = |Tn| · r−

1 2

2 =

ω(logn), where the last equality holds because (r−1/2)2 _{is constant, and by}

the assumption |Tn|=|Hn1/2|=ω(logn). Thus, by Corollary 3.6, there exists a protocol for every familyF.

For the other direction, assume that it is not the case that|H1/2

n |=ω(logn), for every n. This implies that there exists a constant c such that for infinitely many n’s, |H1/2

n | ≤ c·logn. Now, let r0 be the highest value in R. It follows that for every i ∈ H1/2

n , ri ≤ r0. Thus, for infinitely many n’s the probability that all parties in H1/2

n are corrupted is at least (1−r0)−c·logn. Since (1−r0) is constant, (1−r0)−c·logn _{is 1}_/_poly(_n_{). Thus, by Theorem 3.7, there exists no} protocol for coin-tossing (and so it does not hold that all functionalities can be securely computed).

We conclude that in the case of constant reputations, our results are tight. In the full version we give an example of a family of reputation vectors with non-constant reputations, for which neither our upper bound nor lower bound applies.

4 Secure Computation with Correlated Reputations

Until now, we have considered reputation systems where the probability that each party is corrupted is independent of the probability that all other parties are corrupted. This follows directly from how we define reputation systems (and, indeed, the way these systems are typically defined in other fields). A natural question that arises is what happens when the probabilities that parties are corrupted arenot independent; that is, when there is a correlation between the probability that some party Pi is corrupted and the probability that some Pj (or some subset of other parties) is corrupted. In this section we take a first step towards exploring the feasibility of fair secure computation with correlated reputation systems.

We begin by extending Definition 2.4 to this more general case. First, observe that a reputation system can no longer be represented as a vector of probabilities, since this inherently assumes independence. (Specifically, no vector can represent a corruption situation where with probability 1/2 both parties P1 and P2 are corrupted and with probability 1/2 they are both honest.) Thus, we represent a reputation system with m =m(n) parties where m :N → Nis bounded by a polynomial innby a probabilistic polynomial-time sampling machineM that receives the security parameter n∈Nand outputs a setI ⊆[m(n)], such that

Pi is corrupted ifi∈I. We call (m, M) thereputation system.

(17)

system (m, M) if all is the same as in Definition 2.4 except that the set I of corrupted parties is chosen by runningM(1n_).

We remark that unlike the case ofreputation vectors, it does not suffice to look at the expected number of honest parties here. In order to see this, consider the case of m parties such that with probability 1/100 all the parties but one are corrupted, and with probability 99/100 all the parties are honest. According to this, the expected number of honest parties is 1·1/100 + 99/100·mwhich is greater than 0.99m. Nevertheless, the probability that there is a dishonest ma-jority is 1/100 which is clearly non-negligible. Thus, in the setting of correlated reputations where there is dependency between parties, a high expected number of honest parties does not imply that there is an honest majority except with negligible probability.

We show that when the “amount of dependence” between the parties is limited, then it is possible to obtain fair secure computation. In a nutshell, we show that if each party is dependent on at most`(m) other parties, where`(m) is some function, and the expected number of honest parties in a sampling byM is

m

2 +ω(`(m)·

√

mlogm), then there is an honest majority except with negligible probability. Given this fact, it is possible to run any multiparty computation protocol that is secure with an honest majority. Thus, in contrast to the above example, we conclude that when dependence is limited, it is possible to use the expected number of honest parties in order to bound the probability of a dishonest majority. This is a direct generalization of Theorem 3.3, where the bound in Theorem 3.3 is obtained by setting `(m) = 1.This result is proven by defining a martingale based on the random variables indicating the corruption status of each party, and then applying Azuma’s inequality. We also consider a generalization of our model, where a party can be correlated also with all other

m−`(m) parties, but only to a very small extent. In addition, as with the case of reputation vectors, we also show how to extend this result to the case of a large enough subset with high enough expectation.

Another way to interpret the aforementioned result is as follows. In practical applications the reputation system is usually represented as a vector, although dependency between the parties may exist. Thus, the parties do not have all the information about the honesty of the parties. However, our analysis shows that the vector of reputations alone may still be useful. By linearity of expectation, the expected number of honest parties is the sum of reputations even if those are somehow dependent. Therefore, if this sum is large enough, honest majority is guaranteed except with negligible probability, even if there exists some corre-lation between the parties. (where the allowed correcorre-lation can be obtained from the sum of reputations and the number of parties).

We now provide our definition for “limited correlations” and a formal state-ment of the main result. The full proof, together with additional results appear in the full version of this paper.

(18)

It is important to note that in our context the naive approach of saying thatPi andPjare dependent if the random variablesXiandXjare dependent doesnot suffice. In order to see this, assume that there are three parties P1,P2 andP3,

such thatP3is honest if and only if only one ofP1andP2is honest, and thatP1

and P2 are honest with probability 1/2 (independently of each other). Clearly, by the standard notion of dependenceP1andP2are independent. However, the honesty or lack thereof ofP1 andP2 is influenced byP3; stated differently, the random variablesX1andX2arenot independentwhen conditioning onX3. Since we need to consider the global context of who is honest and who is corrupted, in such a case we should define thatP1 andP2 are correlated.

Based on the above discussion, we define a new notion of dependency that we callcorrelation amongstP, whereP ={P1, . . . , Pm}is the set of all parties. Intuitively, we say that a pair of partiesPi and Pj are correlated amongstP if there exists a subset of parties inP such that the random variables Xi andXj are not independent when conditioning on the corruption status of the parties in the subset. We stress thatPiandPjare correlated as soon as the above holds for any subset. We believe that this is quite a natural definition that captures the intuitive meaning of dependence where the probability that a party is corrupted can depend on coalitions amongst other parties and whether or not they are corrupted. Formally:

Definition 4.1 (Correlated Amongst P) Let (m, M) be a reputation sys-tem. We say that parties Pi and Pj are correlated amongst P if there exists a

subsetS ⊆[m], and Boolean valuesbi, bj,{bk}k∈S such that

PrhXi=bi∧Xj=bj

{Xk=bk}k∈S i

6

= PrhXi=bi

{Xk =bk}k∈S i

·PrhXj =bj

{Xk=bk}k∈S i

.

LetD(i) be the set of all partiesPjfor whichPiandPjare correlated amongst P. Intuitively, we say that a reputation system has an`-limited correlation if for every iit holds that the size ofD(i) is at most`; that is the number of parties with which any partyPi is correlated is at most`.

Definition 4.2 (`-Limited Correlation) Let (m, M) be a reputation system and`=`(m). We say that(m, M)has an`-limited correlationif for everyi∈[m], it holds that |D(i)| ≤`(m).

An honest majority in `-limited correlated reputation systems. We show that if the expected number of honest parties in an `-limited correlated reputation systems is large enough, as a function of m and `, then an honest majority is guaranteed except with negligible probability. The proof of this fact uses martingales and Azuma’s inequality, and appears in the full version of this paper. Recall thatXi is a random variable that equals 1 whenPi is honest; thus Pm

i=1Xi gives the number of honest parties. We show that the probability that

(19)

Theorem 4.3 Letm:_N→_Nbe a function such that O(logm(n)) =O(logn), let (m(n), M) be a family of reputation systems, and let ` =`(m) where m =

m(n). If(m(n), M)has an`-limited correlation and

E "m

X

i=1 Xi

# ≥ m

2 +ω

`(m)·pmlogm,

then there exists a negligible functionµ(·) such that for everyn,

Pr "m

X

i=1 Xi≤

m

2 #

< µ(n).

The full proof and additional results appear in the full version of the paper.

5 Reputation and Covert Security

In the model of secure computation in the presence of covert adversaries [1], the security guarantee is that if a party cheats then it will be detected cheating with some probability(this probability is called the deterrent). The deterrent parametercan be tailored depending on the requirements. For= 1/2, the cost of computing is between 2 and 4 times the cost of protocols that are secure for semi-honest adversaries. Thus, this is much more efficient than security in the presence of malicious adversaries. The model of covert adversaries isparticularly suited to a setting with reputation systems since if cheating is detected, then an immediate “punishment” can be incurred via a report to the reputation system manager. Thus, the use of protocols that are secure for covert adversaries makes real sense here.

In addition to the above, we observe that great efficiency can be obtained by using the protocol of [9]. This protocol assumes an honest majority and obtains security in the presence of covert adversaries with deterrent 1₄, at just twice the cost of obtaining information-theoretic security in the semi-honest model. Thus, this protocol is extremely efficient. Combining this with the fact that it is possible to run the protocol on the smallest subset that yields an honest majority except with probability below the allowed error δ (see Section 3.1), we have that large-scale computation involving many thousands of participants can be efficiently computed by taking a much smaller subset to run the protocol of [9].

References

1. Y. Aumann and Y. Lindell. Security Against Covert Adversaries: Efficient Pro-tocols for Realistic Adversaries. In 4th TCC, Springer-Verlag (LNCS 4392), pages 137-156, 2007.

2. M. Babaioff, J. Chuang and M. Feldman. Incentives in Peer-to-Peer Systems. In

(20)

3. M. Ben-Or, S. Goldwasser and A. Wigderson. Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation. In 20th STOC,pages 1–10, 1988.

4. P. Bogetoft, D.L. Christensen, I. Damg˚ard, M. Geisler, T.P. Jakob-sen, M. Kroigaard, J.D. NielJakob-sen, J.B. NielJakob-sen, K. NielJakob-sen, J. Pagter, M.I. Schwartzbach and T. Toft. Secure Multiparty Computation Goes Live. InFinancial Cryptography, pages 325–343, 2009.

5. D. Bogdanov, S. Laur and J. Willemson. Sharemind: A Framework for Fast Privacy-Preserving Computations. In the 13th ESORICS, Springer (LNCS 5283), pages 192–206, 2008.

6. R. Canetti. Security and Composition of Multiparty Cryptographic Protocols.

Journal of Cryptology, 13(1):143–202, 2000.

7. D. Chaum, C. Cr´epeau and I. Damg˚ard. Multi-party Unconditionally Secure Protocols. In 20th STOC, pages 11–19, 1988.

8. R. Cleve. Limits on the Security of Coin Flips when Half the Processors are Faulty. In 18th STOC,pages 364–369, 1986.

9. I. Damg˚ard, M. Geisler and J.B. Nielsen. From Passive to Covert Security at Low Cost. In the 7th TCC, Springer (LNCS 5978), pages 128–145, 2010. 10. I. Damg˚ard and Y. Ishai. Constant-Round Multiparty Computation Using a

Black-Box Pseudorandom Generator. InCRYPTO 2005, Springer (LNCS 3621), pages: 378–394, 2005.

11. D. Dubhashi and A. Panconesi. 2009.Concentration of Measure for the Analysis of Randomized Algorithms (1st ed.). Cambridge University Press, New York, NY, USA.

12. E. Friedman, P. Resnick and R. Sami. Manipulation-Resistant Reputation Sys-tems. InAlgorithmic Game Theory (Chapter 27), Cambridge University Press, 2007.

13. O. Goldreich.Foundations of Cryptography: Volume 1 – Basic Tools.Cambridge University Press, 2001.

14. O. Goldreich. Foundations of Cryptography: Volume 2 – Basic Applications. Cambridge University Press, 2004.

15. O. Goldreich, S. Micali and A. Wigderson. How to Play any Mental Game – A Completeness Theorem for Protocols with Honest Majority. In 19th STOC,

pages 218–229, 1987. For details see [14].

16. V. Goyal, P. Mohassel and A. Smith. Efficient Two Party and Multi Party Computation Against Covert Adversaries. In EUROCRYPT 2008, Springer-Verlag (LNCS 4965), pages 289–306, 2008.

17. S. Halevi, Y. Lindell, and B. Pinkas. Secure Computation on the Web: Com-puting without Simultaneous Interaction. InCRYPTO 2011, Springer (LNCS 6841), pages 132–150, 2011.

18. Y. Ishai, J. Katz, E .Kushilevitz, Y. Lindell and E. Petrank. On Achieving the ”Best of Both Worlds” in Secure Multiparty Computation. InSIAM J. Comput.

40(1), pages 122–141, 2011.

19. W. Hoeffding. Probability Inequalities for Sums of Bounded Random Variables. InJournal of the American Statistical Association, 58(301):13-30, March 1963. 20. M. Mitzenmacher and E. Upfal. 2005.Probability and Computing: Randomized Algorithms and Probabilistic Analysis. Cambridge University Press, New York, NY, USA.